HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Who Do You Report HIPAA Violations To?

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to implement safeguards to ensure the privacy of patients is protected and protected health information (PHI) is secured, but what happens when patient privacy is violated or unsecured PHI is used or disclosed impermissibly? Who do you report HIPAA violations to?

Who do You Report HIPAA Violations To?

If you suspect that HIPAA Rules have been violated by a HIPAA covered entity, a HIPAA business associate, or a subcontractor with whom PHI has been shared, it is important that the violation is reported to allow an investigation to take place.

HIPAA violations frequently occur as a result of human error, a misunderstanding of HIPAA regulations, or in some cases, deliberate or willful violations of HIPAA Rules occur. A covered entity or business associate may not be aware that a HIPAA violation has occurred, and should be given the opportunity to correct errors and prevent similar violations from occurring in the future.

How Can Healthcare Employees Report HIPAA Violations?

If you are employed by a HIPAA-covered entity or business associate, who do you report HIPAA violations to? Ideally, the complaint should be filed with your HIPAA compliance officer, or failing that, the matter should be brought to the attention of your supervisor. This will give your employer the opportunity to act quickly to prevent any further violations of HIPAA Rules.

If action is not taken to address the problem, or if  employees would rather bypass this step, they can submit a complaint to the Office for Civil Rights (OCR). In order for OCR to investigate, OCR will need to be informed of the type of violation – including when it occurred, if it is ongoing, and when it was discovered. Complaints must be filed within 180 days of discovery of the violation – any later and OCR will not investigate, although extensions may be granted under certain circumstances.

How Can Patients Report HIPAA Violations?

If you are a patient, health plan member, or concerned member of the public who do you report HIPAA violations to?

In the first instance, a complaint should be lodged with the covered entity in question to allow them to investigate internally and take action. Healthcare organizations employee a HIPAA compliance officer to oversee their compliance obligations. This is likely to be a dedicated role in a large healthcare organization, or smaller healthcare providers may assign compliance duties to an individual on top of other duties.

Complaints by patients, health plan members, and members of the public can also be filed with OCR directly. It is not a requirement to first report the incident to the covered entity. Patients can bypass this step submit a complaint to OCR about a privacy violation or another type of HIPAA violation that has come to their attention.

OCR will assess complaints for HIPAA violations and will conduct an investigation if there are grounds for a complaint. While anonymous complaints can be submitted, OCR will only investigate complaints if the complainant is named and contact details are provided. As with reports of HIPAA violations by employees of covered entities and business associates, complaints by members of the public must be filed within 180 days of discovery of the violation.

Who do You Report HIPAA Violations To? FAQs

What is the Office for Civil Rights?

The Office for Civil Rights is an agency within the Department of Health & Human Services which enforces federal civil rights laws, conscious and religious freedom laws, HIPAA, and the Patient Safety Act. Since the passage of HIPAA and the subsequent publication of the Privacy Rule, the Office for Civil Rights (OCR) has received more than 300,000 complaints and reports of HIPAA violations.

Why might a patient file a complaint to OCR?

The three most common complaints to OCR from patients concern privacy violations such as impermissible uses and disclosures of PHI (for example, using a patient´s PHI for marketing purposes without the patient´s authorization), lack of patient access to PHI, and uses and disclosures of more PHI than necessary in violation of the minimum necessary standard.

Other than privacy violations, what other types of complaints can a patient make?

Patients can make a complaint to OCR about any type of HIPAA violation – for example, the failure to provide a Notice of Privacy Practices, the failure to comply with a restrictive access request (i.e., restricting who PHI is disclosed to), and the failure to contact them by a pre-requested communication channel (i.e., contacting a patient by voice message rather than SMS).

It is also the case that a patient can make a non-specific complaint about a HIPAA violation by a covered entity. For example, a patient might share a unique identifier with a hospital, only to find out the identifier has been leaked. The patient knows a HIPAA violation has occurred because no-one else has access to the identifier, but doesn´t know the specific circumstances of the violation.

What if a volunteer at a hospital sees a HIPAA violation? Who do they report it to?

Under HIPAA, a volunteer at a hospital is considered to be part of the hospital´s workforce because they are under the direct control of the hospital, even though they are not being paid by the hospital. Therefore, the procedures for reporting a violation of HIPAA are exactly the same for a volunteer as they are for an employee.

Where can I find out who is a hospital´s compliance officer?

Covered entities should publish the contact details of their compliance officer on their websites. Sometimes, as mentioned above, the role of compliance officer could be added to an existing role, so it may be difficult to find an individual with the title “Compliance Officer”. If you are still unsure of where to direct your complaint, call the hospital and ask.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.